Erasing a stored information pattern on a storage medium with progress indication

ABSTRACT

According to an embodiment, a method is presented of erasing, in a document data processing device, a stored information pattern on a rewritable data carrier that is accessible by a data processing facility of said device, the document data processing device having primary processes for processing document data, wherein data may be stored on the data carrier, and secondary processes for erasing stored data, through overwriting a selected storage area of the carrier by a shredding pattern. According to the method, the primary and secondary processes are run asynchronously, i.e. the secondary processes are run in background, in order not to hinder the primary processes, and the progress of the erasing process is dynamically displayed for the operator to give an indication of an internal data security situation.

This application is a Continuation of co-pending application Ser. No. 11/014,980 filed on Dec. 20, 2004, and for which priority is claimed under 35 U.S.C. §120; and this application claims priority of Application No. 03078991.1 filed in Europe on Dec. 19, 2003 under 35 U.S.C. § 119; the entire contents of all are hereby incorporated by reference.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The invention relates to a method of erasing, in a document data processing device, a stored information pattern on a rewritable data carrier that is accessible by a data processing facility of said device, the document data processing device having primary processes for processing document data, wherein data may be stored on said data carrier, and secondary processes for erasing stored data, through overwriting a selected storage area of said carrier by a shredding pattern, wherein the method includes running said primary and secondary processes completely or partly asynchronously, i.e. starting a primary process irrespective of the completion of any pending secondary processes.

2. Discussion of the Background Art

Background art has recognized that magnetic hard disks and other more or less similar storage facilities are increasingly vulnerable to reading of confidential data that is stored thereon. A first type of attack may occur through a hacker “entering” the facility via a data network. Such interference may be countered by relatively simple operations, such as encrypting the data before storing them on the internal hard disc, deleting the entry of the particular data file in the file administration of the carrier, or—preferably—overwriting the data.

A more serious type of attack may occur after physical removal of such a disk from a Personal Computer, from a Digital Access Controller associated to a printing facility, or other. Deleting the file administration of the carrier will then be to no avail.

Reformatting the carrier or over-writing by a so-called shredding pattern provides improved security, but there are techniques for detecting bit patterns that have been overwritten. A single “data shredding” run is therefore insufficient when deletion of certain data is really important.

Overwriting data with a plurality of shredding runs involving multiple different bit patterns, further to be called: shredding patterns, is generally considered as an effective policy, wherein the construction of the shredding patterns should be appropriate to the intended degree of security.

The data carrier can be based on various different writing/storing technologies, such as magnetic, magneto-optical, optical such as in a rewritable CD, and other. Usually, the geometrical storage organization is based on a kind of track, that may be a cylinder, a spiral, a straight line, or other. The storage physics is based on some kind of remanence property of the storage substrate.

In particular, United States Published Patent Application 2002/0181134 to Bunker et al. discloses the application of user-selectable shredding patterns. The present inventors have recognized that this prior art technology may offer enough protection against infringers, but that the long time required by the overall shredding will keep the data processing proper, e.g. printing, stalled for an often highly needed time interval and may therefore severely degrade system performance.

Furthermore, an overall discussion of shredding operations and other related items is given in P. Gutmann, “Secure Deletion of Data from Magnetic and Solid-State Memory”, Sixth USENIX Security Symposium Proceedings, San José, Calif. USA, Jul. 22-25, 1996, downloadable at http://www.usenix.org/publications/library/proceedings/sec96/gutmann.html.

SUMMARY OF THE INVENTION

In consequence, amongst other things, it is an object of the present invention to give an operator an indication of the internal data security situation.

Now therefore, according to one of its aspects, the invention is characterized in that the method further includes dynamically automatically determining overall progress of secondary processes in the device and displaying the same on a display of the device to give an indication of the internal data security situation.

With this indication on the device display, a user can instantly see if the data that should be removed are indeed gone. The progress can also be shown on the workstation of the system administrator.

The invention also relates to an apparatus being arranged for implementing the method of the invention.

Further advantageous aspects of the invention are recited in dependent claims.

BRIEF DESCRIPTION OF THE DRAWINGS

These and further features, aspects and advantages of the invention will be discussed more in detail hereinafter with reference to the disclosure of preferred embodiments of the invention, and in particular with reference to the appended Figures that illustrate:

FIG. 1 is a system block diagram pertaining to the present invention;

FIG. 2 is an operation diagram without shredding being applied;

FIG. 3 is an operation diagram with synchronous shredding;

FIG. 4 is an operation diagram with asynchronous shredding;

FIG. 5 is an operation diagram with mixed mode shredding;

FIG. 6 is a flow diagram of a mixed (a)-synchronous shredding operation;

FIG. 7 is a Table of shredding patterns;

FIGS. 8A and 8B show examples of user interface windows for controlling data erasure according to the invention;

FIG. 9 shows an example of a user interface window for shredding process supervising.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

In the following, the term “shredding” will be used for erasure of stored data patterns on a hard disc or other re-writable storage media.

FIG. 1 illustrates a system block diagram pertaining to the present invention. The Figure is generally symbolically organized, so that various respective blocks will represent operations rather than identifiable hardware modules. Elements 10 represent the relevant software processes of the controller of a device in which the invention is practised, such as a printer. The processes 10 make use of job-related files 12, stored in the internal disc of the device. In the course of the processes 10, some of the job-related files may no longer be needed, and in the context of the present invention, such files should be effectively erased. For that purpose, an erase file process is issued for such a file, as indicated by reference number 14. Erasure takes place in the form of over-writing the relevant data storage locations on the device disc, further to be called: shredding. During the shredding, the original data are over-written with various bit patterns, ranging from simple sequences of all zeroes to complex patterns of zeroes and ones.

The erase file process 14 is controlled by a set of user-defined or default parameters 16. Such parameters are for instance:

synchronous/asynchronous/combined shredding

number and selection of shredding patterns

shredding priority.

The terms used here will be explained in the description below.

In reaction to the issuing of an erase file process 14, a shredding process 18 is activated (symbolized by arrow 20) for the specified file, and in accordance with the erasure parameters 16. Actual bit patterns for the shredding process are specified in a list 22, accessible for the process 18.

Before further describing the actual operation of the shredding process, we will now first explain several different shredding techniques as used herein, with reference to FIGS. 2, 3, 4 and 5. This example is directed to a printing application, but may, mutatis mutandis, also be applied to other document processing operations such as scanning and copying.

In printing, a print file is received via a network and stored in the system disc of the printing facility or printer. The file may be encrypted in the case of secure data transport, or it may be encrypted directly after receipt. Print files wait in a print queue until they can be processed. When the printer is ready to process a print job, it reads the print file from disc, if necessary decrypts it and processes the print file by rasterizing it, and subsequently prints the rasterized file. In a standard situation, the file would thereupon be ready and need no longer be used at the printing facility.

FIG. 2 illustrates an operation diagram without shredding being applied.

As an example, print jobs are symbolized by sequences of three print sheets, but it will be clear that in fact print jobs may comprise any number of sheets. As shown, a first print job Job1 is processed first and is followed by a second print job Job2.

FIG. 3 illustrates an operation diagram with so-called “synchronous” shredding as is known from the prior art. For simplicity, the same configuration of jobs as in FIG. 2 has been assumed. Now, at the end of executing Job1, the associated file is considered out-of-use. Thereupon, the shredding of Job1 is effected immediately. Subsequently, the execution of Job2 is effected. Of course, Job2 may become due for shredding as well. The requirement for shredding may be determined on the basis of an intended security level that can be non-uniform over the jobs. In an exemplary embodiment, only files protected by a PIN-code would be shredded (to be explained later). The information shredded can be the original information, and will preferably also include any intermediate or temporary data files created in the process, data rendered out-of-date through updating, such generally as considered appropriate vis-à-vis the intended security level. Generally, the actual operating system will know where to find such intermediates, even if the application in question is based on running third party software. Evidently, there may occur an unwanted delay in the processing of Job2, due to the preference given to the immediate or synchronous shredding of Job1.

By contrast, FIG. 4 illustrates an operation diagram with so-called “asynchronous” shredding according to the present invention. As soon as Job1 is finished and the associated files are up for shredding, the shredding of Job1 is actually started, provided that the execution of Job2 can proceed for some time interval without storage access. If such access becomes necessary, it can take preference over the shredding operation, as based on some preference criterion. This renders the shredding “asynchronous” regarding the decision “to-be-shredded”. The shredding is triggered automatically on the basis of certain criteria. Subsequent to the interrupting, the shredding can proceed again. The procedure is executed likewise regarding the shredding of Job2 during execution of Job3. Thus, the shredding can occur in a time-distributed manner.

In a related and particularly advantageous embodiment of the present invention, shown in FIG. 5, the shredding occurs in a mixed manner: for example, the first few (preferably only the first) shredding runs would be immediate, automatic and synchronous, i.e. before the next job is started. Further shredding runs would then be asynchronous. In this embodiment, the file can no longer be read by the system (although it would still be possible to reconstruct the stored data pattern using sophisticated analysis applied to the physical disc). Still, the most time-consuming part of shredding, the multiple overwriting, is done in the background and will not hinder the processing of the succeeding jobs.

Now, returning to FIG. 1, and in connection to the above-described mixed shredding mode, the shredding process 18 first removes the files-for-shredding from the file administration 12 by renaming them and moving the pointers to another storage location 24 (operation symbolized by arrow 26), that is dedicated to synchronous shredding. The data locations of the files are immediately overwritten with one or a limited number of shredding patterns.

After finishing the synchronous shredding operation, the shredding process 18 returns a “done” message to the erase file process 14 (symbolized by arrow 32), such that the erase file process 14 may signal the relevant primary process 10 that it may resume operation, and moves the pointers to the (shredded) files on to a next storage location 28 (operation symbolized by arrow 30), that is dedicated to asynchronous shredding. The data locations of the files are now further overwritten in a background process, not further hampering the primary processes for the actual document data processing 10.

During the shredding process, status information of the process is communicated by the shredding process 18 to a display process 36 for informing an operator of the security situation of the system, as will further be explained with reference to FIG. 9.

As an alternative to the mixed mode shredding explained above, also fully asynchronous shredding may be effected for less important information. This mode can easily be done with the same composition of processes and structures as shown in FIG. 1, with the exception that files for shredding are removed directly to the storage location 28 dedicated to asynchronous shredding. This is symbolized by hatched arrow 34 in FIG. 1.

A particularly relevant application of the asynchronous shredding occurs with a shared printer facility, because such a printer may be shared among various different persons and groups. In such a case, security is all the more important. In particular, an advantageous organization of the present invention would be applied to printers using a mailbox concept as is featured by several printers and digital copiers, e.g. those marketed by Oce: therein, all yet unprinted files reside in the mailbox, and, moreover, printed files will remain there for some time, until they are actively (or automatically, after a predetermined time interval of, say, 24 hours) removed. The mailbox is implemented as non-volatile memory, such as a hard disc. Therefore, if a user deletes a file from the mailbox, it is not only deleted from the file administration, but also shredded. Also in this case, it is advisable to execute the first shredding run in a synchronous manner, i.e. immediately after the delete command. Of course, for optimal security all job files should be stored in encrypted form and only be decrypted when the data are needed for printing, while decrypted data are kept in volatile memory only.

Further, the invention can be applied in a digital copying and a scanning environment. Digital copying and digital scanning are notoriously data intensive. This raises the need for effective shredding.

Note that in a situation like FIG. 4 or 5, the effective shredding operation of Job1 may extend beyond the start of Job3, so that various jobs can be simultaneously in the course of being shredded. This will require determining some prioritizing among the various shredding runs, as will be discussed infra.

The above shredding procedure started from the level of the individual file, i.e. bottom-up. Another manner is to start on the system level: freeze the overall operations, and determine on the basis of file system operations whether deleted files should be shredded. This procedure will need an approach based on sector analysis. Usually, the operating system will sufficiently know the organization on the sector level.

FIG. 6 illustrates a flow diagram of a mixed (a)-synchronous shredding operation. In block 40, the operation starts, and the necessary hardware and software facilities get claimed. This operation will for example occur at power-up. In block 42, the system determines that a particular file or storage area is no longer needed. The organization of a pertinent waiting loop has not been shown. In block 43, the system determines whether shredding is necessary. If not, the system goes to block 52. If shredding is necessary, the system goes to block 44, to determine whether synchronous shredding is necessary. If not, the system goes to block 48. If synchronous shredding is necessary, the system goes to block 46, for executing the synchronous shredding. Thereupon, in block 48, the asynchronous shredding is executed.

Starting of the asynchronous shredding is triggered when an interval occurs in between the normal data processing operations. Such interval can be detected through only the start thereof, or through finding that a particular interval is predicted to have at least a certain length. In this latter case the shredding operation can on this lower level have a temporary precedence over the normal data processing. After a certain amount of shredding, the system may interrogate the standard data processing as to its storage access requirements. Such background processing is, however, a basic mechanism of the particular operating system, and the precise implementation is not part of the present invention.

If shredding operations are in progress on more than one file, some priority organization is maintained. A first solution therefore is a first-come-first-take basis, so that the files are treated according to the sequence in which they were found shreddable, usually apart from the synchronous part of the shredding operation. A second approach is through letting the ranking number of the shredding pattern (cf. FIG. 7) determine the priority. Still another approach is through assigning a priority level to all asynchronous shredding operations that pertain to a particular file. In a printer application, print files would take preference over logging files.

Now, as long as the shredding must proceed, the loop of blocks 48 and 50 (“ready?”) revolves. If shredding is ready, the system proceeds to block 52, wherein the storage area in question is released for new system usage. Thereupon, the system reverts to block 42.

For simplicity, the interaction between the shredding and the other data processing operations has not been given in detail, but various priority-controlled operations may be executed. Such details are considered well within the knowledge of the skilled person.

Furthermore, a brief delay could be introduced immediately after the finishing of a document data processing job, before a shredding process is allowed to start. Otherwise, if a new document data processing job starts, although it has priority over shredding processes, if a shredding process has claimed the disc, it takes some time for the priority job to access its required storage locations on the disc.

Shredding, and more in particular the further shredding runs after a synchronous initial shredding run, may also be effected off-line, e.g., just before shut-down of the system or at night or during quiet hours as a batch process. In fact, the storage sections used in print processing may in this case be used again after the initial shredding run, and only their use will be logged. Then, in the batch shredding at night, all files that have been logged as being used in the print processes during the day will be erased properly by shredding, leaving a “clean” system at the end.

The level of effectiveness of data shredding depends on the number and content of the shredding patterns used. Every additional shredding run makes retrieval of the original bit pattern on the storage medium more difficult, the more so when the shredding patterns used differ from run to run. It is therefore within the scope of the present invention to offer a settable security level to the users.

In a first embodiment, the printer driver window 70 shown on the user's PC contains a security level setter in the form of a slide switch, a series of radio buttons or any other appropriate means. The printer driver window has a series of tabs and one of them (69), here designated “Erase Data”, wherein a security level can be selected by clicking the appropriate button, as shown in FIG. 8A. Every security level relates to a predefined combination of shredding procedures and bit patterns as further explained below in relation to FIG. 7.

The list of options in FIG. 8A includes:

“Highest”, in which the maximum number of shredding patterns (refer to FIG. 7) is used, in a synchronous manner

“High”, in which an initial synchronous shredding run is followed by an asynchronous process using a selection of, e.g. 15, shredding patterns

“Medium”, in which only an asynchronous shredding process is applied, with a limited number of shredding patterns

“Custom”, in which a user may select his own choice of number and selections of shredding runs, including applying them as synchronous or asynchronous runs.

Of course, other options would be within the scope of the invention.

In the basic screen of the printer driver, shown in FIG. 8B, there is a tick box 71 for defining the particular print job as a security job. When a user does so, a forced dialogue will appear (not shown) for the user to enter a PIN code, that he will be asked for when it comes to printing the job. Other possible forms of security jobs involve other security tokens that are suitable for identifying or otherwise authorizing a user, such as a fingerprint, iris scan or code card. Defining a print job as a security job automatically enforces erasure by shredding of the print data in the printer after finishing the job.

In an alternative embodiment, the selection of the security level is reserved for a super user (also known as “key operator”) or the system administrator, who may enforce a security level for all users, using a selection window similar to the one shown in FIG. 8A.

FIG. 7 illustrates a Table of shredding patterns as proposed by Gutmann in his article mentioned in the introduction, which can be used in the present invention. The left hand column shows respective data passes or shredding runs. The second column shows the various shredding patterns. Certain thereof are random as generated by a random pattern generator not shown. Others are produced by a sequence of more elementary patterns, produced by appropriately repeating bit patterns as shown in the column in a hexadecimal “shorthand” notation (“0x” signalling hexadecimal notation). For example, the seventh row would produce a repetition of the bit pattern 0x92, 0x49, 0x24, or “10010010 01001001 00100100”. As shown, up to 35 shredding runs can be needed. An optimum case is attained through executing 35 successive runs with various different patterns as shown. To attain a balance between possible performance degradation and the needed security, the number of erasure patterns can be selected between 0 and 35. At 35 runs, the scheme is used as shown. When fewer runs are applied, a predetermined selection is made.
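
An added example, not code from the patent or from Gutmann's paper, showing how the FIG. 7 hexadecimal shorthand expands into overwrite data and how the FIG. 8A security levels map onto synchronous and asynchronous run lists. SCHEME is a constructed excerpt (only the 0x92 0x49 0x24 row is taken from the page), and the rule in select_runs for picking fewer runs than the scheme holds, as well as the run counts in plan_for_level, are assumptions.

```python
"""Shredding-pattern shorthand (FIG. 7) and security levels (FIG. 8A).

Added illustration, not code from the patent. SCHEME is a constructed
excerpt standing in for the 35-run table: only the 0x92 0x49 0x24 row
is taken from the page; the other rows, the rule for picking fewer runs
than the scheme holds, and the run counts per level are assumptions.
"""
import os

RANDOM = None  # marks a run whose bytes come from the random generator

# Constructed excerpt; the real scheme would hold 35 entries.
SCHEME = [RANDOM, RANDOM, b"\x55", b"\xaa",
          b"\x92\x49\x24", b"\x49\x24\x92", b"\x24\x92\x49",
          b"\x00", b"\xff", RANDOM]


def expand_pattern(shorthand, size):
    """Repeat the hexadecimal shorthand until it fills `size` bytes."""
    if shorthand is RANDOM:
        return os.urandom(size)
    reps, rem = divmod(size, len(shorthand))
    return shorthand * reps + shorthand[:rem]


def pattern_bits(shorthand):
    """Render a shorthand as the bit string the page uses for row 7."""
    return " ".join(f"{b:08b}" for b in shorthand)


def select_runs(scheme, n_runs):
    """Pick n_runs out of the scheme: all of them at the maximum, otherwise
    (assumed rule) runs spread evenly over the scheme and always ending
    with its last run, so fixed and random patterns stay interleaved."""
    if not 0 <= n_runs <= len(scheme):
        raise ValueError(f"run count must lie between 0 and {len(scheme)}")
    step = len(scheme) / n_runs if n_runs else 0
    return [scheme[int((i + 1) * step) - 1] for i in range(n_runs)]


def plan_for_level(level, scheme=SCHEME, custom=None):
    """Map a FIG. 8A level to (synchronous runs, asynchronous runs).

    "High" follows the page's example of one synchronous run followed by
    up to 15 asynchronous patterns; the "Medium" count of 3 is assumed;
    "Custom" takes (n_sync, n_async) from the user.
    """
    n = len(scheme)
    if level == "Highest":                 # everything, synchronously
        return select_runs(scheme, n), []
    if level == "High":
        runs = select_runs(scheme, min(16, n))
        return runs[:1], runs[1:]
    if level == "Medium":                  # background only
        return [], select_runs(scheme, min(3, n))
    if level == "Custom":
        n_sync, n_async = custom
        runs = select_runs(scheme, n_sync + n_async)
        return runs[:n_sync], runs[n_sync:]
    raise ValueError(f"unknown security level {level!r}")


if __name__ == "__main__":
    print("row 7 bits:", pattern_bits(b"\x92\x49\x24"))
    for level in ("Highest", "High", "Medium"):
        sync, async_ = plan_for_level(level)
        print(f"{level}: {len(sync)} sync + {len(async_)} async runs")
    # A 4 KiB sector overwritten with the row-7 pattern, first bytes:
    print(expand_pattern(b"\x92\x49\x24", 4096)[:6].hex())
```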

FIG. 9 shows an information window 100 that can be projected on the local device display upon actuation of a key on the operating panel (not shown). It shows the actual security-related situation of the internal hard disc of the device, as entries for “data in use” (excluding system files not related to document data), “data in erasure process”, and free (“clean”) disc space in bytes. A “fuel gauge” type display item 110 is added to give a quick impression of the situation. In an alternative embodiment, only entries for “data in use” including data scheduled for shredding, but not yet completely erased, are shown. It would of course also be possible to show the information specified in numbers of files. With this indication on the device display, a user can instantly see if the data that should be removed are indeed gone. The necessary information to make the display can easily be delivered by the operating system resident in the device controller and can be refreshed regularly, to give a dynamic situation display. The display window can also be shown on the workstation of the system administrator.
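
An added example (not the patent's code) that runs the FIG. 6 flow as a deterministic simulation: one synchronous run per file, the remaining runs in the background only while the disc is idle, print files queued ahead of log files as in the priority discussion above, and the FIG. 9 entries and fuel gauge computed from the disc state. The Disk and Shredder classes, the job kinds and the PRIORITY ranking are assumptions made for the illustration.

```python
"""Mixed-mode shredding with a progress display: a deterministic simulation
of the FIG. 6 flow and the FIG. 9 status window. Added illustration, not
the patent's code; disc model, job kinds and priority ranking are assumed."""
import heapq

# Assumed ranking (lower first); the page only says print files beat log files.
PRIORITY = {"print": 0, "scan": 1, "log": 2}


class Disk:
    """Byte-addressable carrier; each file occupies one contiguous extent."""
    def __init__(self, size):
        self.data = bytearray(size)
        self.files = {}      # name -> (offset, length): "data in use"
        self.shredding = {}  # name -> (offset, length): "data in erasure"
        self.next_free = 0

    def write_file(self, name, payload):
        off = self.next_free
        self.data[off:off + len(payload)] = payload
        self.files[name] = (off, len(payload))
        self.next_free += len(payload)

    def status(self):
        """The three entries of window 100, in bytes."""
        in_use = sum(n for _, n in self.files.values())
        erasing = sum(n for _, n in self.shredding.values())
        return {"in_use": in_use, "in_erasure": erasing,
                "clean": len(self.data) - in_use - erasing}


def fuel_gauge(status, width=20):
    """Text form of gauge item 110: '#' in use, '~' being erased, '.' clean."""
    total = sum(status.values()) or 1
    n_use = status["in_use"] * width // total
    n_erase = status["in_erasure"] * width // total
    return "#" * n_use + "~" * n_erase + "." * (width - n_use - n_erase)


class Shredder:
    """Process 18: `sync_runs` immediate runs, the remaining runs in background."""
    def __init__(self, disk, patterns, sync_runs=1):
        self.disk, self.patterns, self.sync_runs = disk, patterns, sync_runs
        self.queue = []      # heap of (priority, arrival order, name)
        self.seq = 0
        self.runs_done = {}  # name -> shredding runs completed so far

    def _overwrite(self, name, run):
        off, length = self.disk.shredding[name]
        pat = self.patterns[run]
        reps, rem = divmod(length, len(pat))
        self.disk.data[off:off + length] = pat * reps + pat[:rem]
        self.runs_done[name] = run + 1

    def erase_file(self, name, kind):
        """Blocks 44/46: drop the file from the administration, run the
        synchronous part at once, queue the remaining runs (location 28)."""
        self.disk.shredding[name] = self.disk.files.pop(name)
        self.runs_done[name] = 0
        for run in range(min(self.sync_runs, len(self.patterns))):
            self._overwrite(name, run)
        if self.runs_done[name] < len(self.patterns):
            heapq.heappush(self.queue, (PRIORITY[kind], self.seq, name))
            self.seq += 1
        else:
            del self.disk.shredding[name]                   # block 52

    def background_step(self, disc_idle):
        """Block 48: one asynchronous run, only while the primary processes
        leave the disc idle; returns (name, runs done so far) or None."""
        if not disc_idle or not self.queue:
            return None
        prio, seq, name = heapq.heappop(self.queue)
        self._overwrite(name, self.runs_done[name])
        if self.runs_done[name] < len(self.patterns):
            heapq.heappush(self.queue, (prio, seq, name))   # loop 48/50
        else:
            del self.disk.shredding[name]                   # block 52
        return name, self.runs_done[name]


if __name__ == "__main__":
    disk = Disk(1000)
    disk.write_file("job1.prn", b"A" * 300)
    disk.write_file("trace.log", b"L" * 100)
    sh = Shredder(disk, [b"\x00", b"\x55\xaa", b"\x92\x49\x24"])
    sh.erase_file("trace.log", "log")
    sh.erase_file("job1.prn", "print")   # shredded first: print beats log
    while (step := sh.background_step(disc_idle=True)) is not None:
        print(step, fuel_gauge(disk.status()), disk.status())
```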

The present invention may be used advantageously for scanning and copying in a very similar way. In scanning, on a dedicated scanner device or on a multifunctional device, a user must first enter his name or other identification code, and may then scan documents. The scan data are then stored on the system disc of the device in connection with the id of the user. The user may then return to his workstation, contact the scanner and fetch his scan file. According to the present invention, the scan data are then removed from the disc and the used disc sectors are erased by shredding.

In a copy operation, a scanner scans the original document, stores the scan data on the internal disc of the copier, whereafter the printer prints the copies from the disc. Shredding of the used disc space may be done automatically or in reaction to a setting made by the operator while setting the copy job parameters.

In all cases mentioned, a shredding procedure effected wholly or at least partly as a background process according to the present invention, will only slightly disturb new print, copy or scan jobs.

Now, the present invention has hereabove been disclosed with reference to preferred embodiments thereof. Persons skilled in the art will recognize that numerous modifications and changes may be made thereto without exceeding the scope of the appended claims. In consequence, the embodiments should be considered as being illustrative, and no restriction should be construed from those embodiments, other than as have been recited in the claims.

1. A method of erasing, in a document data processing device, a stored information pattern on a rewritable data carrier that is accessible by a data processing facility of said device, the document data processing device having primary processes for processing document data, wherein data is stored on said data carrier, and secondary processes for erasing stored data, through overwriting a selected storage area of said carrier with a shredding pattern, wherein the method includes running said primary and secondary processes completely or partly asynchronously, and the method further includes dynamically automatically determining overall progress of secondary processes in the device and displaying the same on a display of the device to give an indication of the internal data security situation.

2. The method as claimed in claim 1, wherein said selected storage area includes storage of temporary, intermediate, and other data used by an actual operating system during a particular primary process.

3. The method as claimed in claim 1, wherein said overwriting is terminated as based on a predetermined sufficient overwriting activity on a storage area of predetermined sufficient size.

4. The method as claimed in claim 1, wherein in the step of displaying the progress of the secondary processes, data that have been stored by the primary processes, including data scheduled for shredding but not yet completely erased, are displayed.

5. The method as claimed in claim 1, wherein in the step of displaying the progress of the secondary processes, “data in use”, “data in erasure process”, and free (“clean”) disc space are distinguishably displayed.

6. The method as claimed in claim 5, wherein the step of displaying the progress of the secondary processes specifies the progress in the form of a “fuel gauge”.

7. The method as claimed in claim 1, wherein the step of displaying the progress of the secondary processes specifies the data in numbers of bytes.

8. The method as claimed in any one of claims 1, 4 or 5, wherein the step of displaying the progress of the secondary processes specifies the data in numbers of files.

9. The method as claimed in any one of claims 1, 4 or 5, wherein said displaying of the progress of secondary processes in the device takes place on a local device display.

10. The method as claimed in claim 1, wherein said displaying of the progress of secondary processes in the device takes place on a workstation display.

11. The method as claimed in claim 1, wherein said data processing device comprises a printer, a scanner or a digital copier.

12. A document processing device comprising: a data processing facility; a local display; and a rewritable data carrier accessible by said data processing facility, said data processing facility running primary processes for processing document data, wherein data may be stored on said data carrier, and secondary processes for erasing data stored in said data carrier, through overwriting a selected storage area of said carrier by a shredding pattern, wherein the data processing facility is adapted to run said primary and secondary processes completely or partly asynchronously, and the data processing facility includes: means for monitoring the overall progress of secondary processes in the device, and means for dynamically displaying said progress on the local display, to give an indication of an internal data security situation.

13. The device as claimed in claim 12, wherein said rewritable data carrier is a hard disc.

14. The device as claimed in claim 12, wherein said means for displaying said progress to an operator is a local display.

15. The device as claimed in claim 12, wherein said device is a printer, a copier or a scanner.